What would it be like if you could identify yourself and authenticate your account by the way you type? A Romanian company, TypingDNA, has created a Chrome extension that does just that.
I am a big advocate of two-factor authentication, but there are some problems. One of the three types of authentication is biometrics, which is “something you are.” NIST, in SP 800-63B states that the problem with biometrics are that they are neither a secret, nor are they replaceable in case of a breach. For example, you leave fingerprints everywhere, and you can’t run to the Thumbs’R’Us to get a new thumb if your enrolled thumbprint is spoofed.
Typing cadence, or how you type, is something that has been shown to be unique from user to user, and has been used as one of the newer biometric factors used in authentication. In the days of the telegraph and Morse code, a telegrapher’s “hand” or key cadence was seen to be unique, and a way to know that the sender was truly the person that was authorized to send the message. This concept was demonstrated in the beginning of the Bond movie “Dr.No.” So this concept has been around a while.
This Chrome extension already works with several on-line service providers, including Google and Gmail, of course, and Facebook, Dropbox, Evernote, Reddit, Microsoft Azure, and Amazon AWS.
There is the obvious problem with false negatives, where a legitimate user is unrecognized and asked to re-type credentials, but TypingDNA claims to have reduced this to 0.1% after the initial training period.
There are concerns that typing cadence systems could eventually be used to identify people using anonymizer and privacy services such as TOR or a VPN. But there is already a typing pattern randomizer extension for Chrome that would counteract this issue. (Surprise!)
In any event, typing cadence is another arrow in your authentication quivver. For those of you who are looking past two-factor authentication to multi-factor authentication, this could be one of the answers.
More information
Share
MAR
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com